/*
 * tcpsnoop.d - snoop TCP network packets by process.
 *              Written using DTrace (Solaris 10 3/05)
 *
 * This analyses TCP network packets and prints the responsible PID and UID,
 * plus standard details such as IP address and port. This captures traffic
 * of newly created TCP connections that were established while this program
 * was running. It can help identify which processes are causing TCP traffic.
 *
 * WARNING: This script may only work on Solaris 10 3/05, since it uses the
 * fbt provider to trace the raw operation of a specific version of the kernel.
 * In the future, a 'stable' network provider should exist which will allow
 * this to be written for that and subsequent versions of the kernel. In the
 * meantime, check for other versions of this script in the /Net directory,
 *
 * $Id: tcpsnoop.d 69 2007-10-04 13:40:00Z brendan $
 *
 *	LADDR	local IP address
 *	RADDR	remote IP address
 *	LPORT	local port number
 *	RPORT	remote port number
 *	SIZE	packet size, bytes
 *
 * SEE ALSO: snoop -rS
 *
 * COPYRIGHT: Copyright (c) 2005, 2006 Brendan Gregg.
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * Author: Brendan Gregg  [Sydney, Australia]
 *
 * 09-Jul-2004	Brendan Gregg	Created this.
 * 12-Mar-2005	   "      "	Changed probes, size info now printed.
 * 02-Jul-2005	   "      "	Many more probes. Renamed "tcpsnoop.d".
 * 03-Dec-2005	   "      "	Fixed tcp_accept_finish bug, now 100% correct
 *				execname. Thanks Kias Belgaied for expertise.
 * 20-Apr-2006	   "      "	Fixed SS_TCP_FAST_ACCEPT bug in build 31+.
 * 20-Apr-2006	   "      "	Last update.
 */

	/* print main headers */
	printf("%5s %6s %-15s %5s %2s %-15s %5s %5s %s\n",
	    "UID", "PID", "LADDR", "LPORT", "DR", "RADDR", "RPORT",

/*
 * TCP Process inbound connections
 *
 * 0x00200000 has been hardcoded. It was SS_TCP_FAST_ACCEPT, but was
 * renamed to SS_DIRECT around build 31.
 */

/*
 * TCP Process outbound connections
 */

/*
 * TCP Data translations
 */
	/* fetch IPv4 addresses */
	/* convert type for use with lltostr() */
	/* stringify addresses */
	/* fix direction and save values */
	/* all systems go */

/*
 * TCP Process "port closed"
 */
	/* split addresses */
	/* stringify addresses */

/*
 * TCP Fetch "port closed" ports
 */

/*
 * TCP Print "port closed"
 */
	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

	/* follow inetd -> in.* transitions */
	/* follow inetd -> in.* transitions */

/*
 * TCP Complete printing outbound handshake
 */
	/* this packet occurred before connp was fully established */
	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

/*
 * TCP Complete printing inbound handshake
 */
	/* these packets occurred before connp was fully established */
	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

	/* print output line */
	printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",

/*
 * TCP Clear connect variables
 */

/*
 * TCP Clear r/w variables
 */
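As an added example that is not part of tcpsnoop.d or the DTraceToolkit: a small Python parser for the output lines the script prints with the format string shown above, summarising bytes per process and direction so a reviewer can see which processes generated the traffic. The first seven column names are on the page; it is assumed that the eighth column is SIZE (from the field description), that the trailing %s is the process name, and that the DR field is "->" for outbound and "<-" for inbound. The sample output is constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Column layout taken from tcpsnoop.d's printf format:
#   "%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n"
# UID PID LADDR LPORT DR RADDR RPORT are the page's header names; SIZE and
# CMD (the process name) are assumptions about the last two fields.
COLUMNS = ("UID", "PID", "LADDR", "LPORT", "DR", "RADDR", "RPORT", "SIZE", "CMD")
DIRECTIONS = {"->": "out", "<-": "in"}   # assumed meaning of the 2-char DR field

# Constructed sample of tcpsnoop.d output (not real captured data).
SAMPLE = """\
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
  100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
  100  20892 192.168.1.5     36398 <- 192.168.1.1        79    54 finger
  100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
    0    242 192.168.1.5        23 <- 192.168.1.1     54224    54 inetd
    0  20893 192.168.1.5        23 -> 192.168.1.1     54224  1020 in.telnetd
"""

def parse_line(line: str) -> dict:
    """Parse one output line; return {} for the header or an unparsable line."""
    parts = line.split(None, 8)          # CMD is last, keep it whole
    if len(parts) != len(COLUMNS) or parts[0] == "UID":
        return {}
    uid, pid, laddr, lport, dr, raddr, rport, size, cmd = parts
    if dr not in DIRECTIONS:
        return {}
    try:
        return {"uid": int(uid), "pid": int(pid), "laddr": laddr,
                "lport": int(lport), "dir": DIRECTIONS[dr], "raddr": raddr,
                "rport": int(rport), "size": int(size), "cmd": cmd}
    except ValueError:                   # malformed numeric field
        return {}

def summarise(lines: Iterable[str]) -> Dict[Tuple[int, str], dict]:
    """Bytes in/out per (pid, cmd) plus the set of remote peers it talked to."""
    totals = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec:
            entry = totals[(rec["pid"], rec["cmd"])]
            entry[rec["dir"]] += rec["size"]
            entry["peers"].add(f'{rec["raddr"]}:{rec["rport"]}')
    return dict(totals)

def top_talkers(lines: Iterable[str]) -> List[Tuple[int, str, int]]:
    """(pid, cmd, outbound bytes), largest sender first."""
    return sorted(((pid, cmd, e["out"]) for (pid, cmd), e in summarise(lines).items()),
                  key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for pid, cmd, out in top_talkers(SAMPLE.splitlines()):
        print(f"{pid:6d} {cmd:<12s} {out:6d} bytes out")
```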